Threat Detail

Overview

Minimum Engine

5600.1067

File Length

Description Added

2006-12-11

Description Modified

2006-12-11

Malware Proliferation

Characteristics

Symptoms

Method of Infection

Removal

For most previous variants of this malware, McAfee provides protection via signatures. Please ensure to have the most up to date DATs and Engine. For the most recent variant where McAfee (or your security product) may be disabled, please follow the following manual cleaning instructions. A standalone tool may be provided in the near future to help remediate this Threat.

NTFS Folder Permission AlterationBesides killing any security tool trying to access its files or processes, newer variants of ZeroAccess implemented a new protection method to disable security tools.Once the process is killed, the rootkit will remove all NTFS permissions disallowing the execution of the file afterwards. This method of disabling security tools has been seen before in malware families like W32/Pinkslipbot and W32/Simfect.The file permissions may be restored by running the following actions.

Right-click the parent folder of the affected files and choose Properties.

In the window that opens, chose the Security Tab.

Click in Advanced.

There will be two checkboxes below the list of permissions. If the checkbox for Inherit Parents Permissions is checked, uncheck it.

Check the Inherit box again to inherit permissions from the parent folder.

Check the box to copy permissions to children objects. This will replace the permissions that were removed by the malware.

Do not execute VSE until executing the procedures below, or it will be killed again.

Manual Remediation steps:The malicious code is loaded by the patched system driver. In order to clean the system manually, its necessary to identify the malicious .SYS file and replace it with a good copy from installation media.In order to identify which system driver was replaced, the user is going to need the following tool:

First of all, the machine must be disconnected from the internet to avoid reinfection in case any other malware is downloading and installing ZeroAccess.

Execute GMER, and disable the options as shown in the circle marked in RED below to avoid scanning the malware monitored file and process:

Enable the option circled in BLUE to make GMER scan the system IRP hooks.

Start the rootkit scan and wait for it to finish.

If the system is infected, GMER will show the name of the patched .SYS file as shown in the YELLOW circle above. Take note of this name.

Look at the following folder and search for a file with same name as noted above: %SYSTEMROOT%\ServicePackFiles\i386

If there is a copy of the file in the folder above, copy it to the root of drive C:. It will be needed later.

If the file is not present in the folder above, it will be necessary to copy the file from an installation media, or another machine with the same Windows version and language.

Boot the infected machine with a clean boot media like BartPE or another boot CD.

From the clean boot, copy the file stored in the root folder that was copied above, to the location of the patched system driver.ex: copy c:\mrxsmb.sys c:\windows\system32\drivers\mrxsmb.sys

Reboot the system in safe mode and log in as the Administrator user.

Execute the CSSCAN command line tool using the Beta DATs to remove any Trojan or infected file from the system:a. VSE 8.7: C:\Program Files\McAfee\VirusScan Enterprise\csscan.exe All Unzip Program Analyze Sub Clean Log c:\scan-rpt.txt C:\

Run GMER again to confirm that no malicious threads of patched files exist anymore.

Standalone Removal Tool Instructions:

Alternatively, McAfee is making available a standalone tool to detect and remove ZeroAccess rootkit from customers infected machines. The tool is available for download here

NOTE: McAfee has prepared this standalone tool to assist with the remediation of this Threat. McAfee Quality Assurance team has NOT tested or approved these files for release. McAfee Makes no warranty that these files will be free from errors or other interruptions or that they will meet your requirements. In the meantime, users are requested to use caution when utilizing it to combat ZeroAccess.

Extract the tool to a temporary folder. Run it by simply executing it from the command line. The following image shows what is expected in case the tool successfully detect and remove the malware:

ZeroAccess has been known to be accompanied by other malware. Therefore, as an option, customer may use the latest Beta DATs available here which may be used with the csscan.exe command line scanner as shown on the instructions above.